January 07, 2011, 4:48 PM — Security researchers have shown that carefully crafted text messages sent to cell phones via short message service (SMS) can cause them to shut down without the knowledge of the owner. Popular models by Nokia, LG, Samsung, Motorola and Samsung Ericsson are said to be affected by what the researchers call 'SMS-o-Death'.
Researchers from the Berlin Institute of Technology used the simple trick of imitating the data messages network providers send to phones. Usually the messages are used for tasks such as configuring the device for a particular provider, but they can easily be subverted.
Perhaps surprisingly, the attack targets regular "feature phones" rather than smartphones. Feature phones are so-called because they typically perform one or two other tasks, such as MP3 playback or web browsing, in addition to making calls.
Feature phones are significantly less expensive than smartphones, so although smartphones get most of the press attention, out in the real world feature phones are the ones most widely used among the world's population. Therefore, the scale of the hack could be huge.
The researchers made their discoveries by creating their own testbed cell phone tower in a lab shielded from outside signals. They monitored communications from the phone and by doing so were able to create messages that attacked every single model of phone they studied.
To attack an individual's phone, one would need to know the make and model. However, a large-scale random denial of service attack would be easy to carry out: with a little research to find the most popular phone models on the market today, an attacker could send a series of messages targeting each phone to specific or random numbers via the various Internet gateways that allow bulk text message sending. Anybody receiving the dodgy message would have their phone silently switch off, without their knowledge. If the hack didn't work on a user's particular model of phone, it would simply be ignored as gibberish.
Of course, the researchers are keeping their exact methods secret, but now that the cat is out of the bag, it won't be long until hackers come up with their own versions.
There's little that can be done to thwart attacks. Phone firmware could be reprogrammed to block such messages, but the majority of non-smartphone owners simply don't update their phones. Many aren't even aware it's possible, and those who are often avoid doing so for fear of updating to buggy software, something that sadly is all too common. Inexpensive phones often come without a USB cable, making updating impossible unless one is purchased.